[CentOS] Transparent Squid and FirewallD : fine-tuning question

Sat May 9 07:42:07 UTC 2020
Nicolas Kovacs <info at microlinux.fr>

Hi,

I just set up a very basic HTTP proxy with Squid on a router running CentOS 7.

Up until early 2020 I've been using a bone-headed shell script with iptables to
configure my firewall. But I decided to follow advice from a few gurus on this
list, and I've since moved my configurations to FirewallD, which works nicely.

There's one configuration left to tackle: port redirection for the Squid
proxy server. It also works fine, though I'd like to figure out a little
detail. Here goes.

My router has two network interfaces, which I've aptly named WAN and LAN in the
NetworkManager configuration:

$ nmcli con show
NAME  UUID                                  TYPE      DEVICE
WAN   9574b606-8f6d-3edc-95ad-8165df0f3fce  ethernet  enp2s0
LAN   c726b168-1fcd-4dc5-a01d-8ad8a1ba38ee  ethernet  enp3s1

Squid is acting as a transparent proxy server:

$ sudo grep http_port /etc/squid/squid.conf
http_port 3128 transparent

In my firewall configuration, all requests to port 80 (HTTP) are redirected to
port 3128:

$ sudo firewall-cmd --permanent \
  --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=192.168.3.1
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s1
  sources:
  services: dhcp dns http squid ssh
  ports:
  protocols:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=3128:toaddr=192.168.3.1
  source-ports:
  icmp-blocks:
  rich rules:

In the current state, this configuration works as expected. When a client
desktop in the 192.168.3.0/24 network browses HTTP sites on the web, it appears
in the Squid log on the server in /var/log/squid/access.log.

And here comes the question. How can I redirect all HTTP requests to port 3128
EXCEPT THOSE THAT ARE DIRECTLY AIMED AT THE PROXY SERVER?

Here's the thing. The proxy server (amandine.sandbox.lan) is also running httpd
to display a static information page for the local network. Now client desktops
can access http://amandine.sandbox.lan in a web browser just fine. But this
still goes through the proxy, and I'd like these requests to be handled
directly instead.

In iptables syntax this would vaguely look like this:

$ iptables -A PREROUTING -t nat -i enp3s1 -p tcp \
  ! -d 192.168.3.1 --dport 80 -j REDIRECT --to-ports 3128

How can I translate the "! -d 192.168.3.1" part into some FirewallD-specific
syntax?

Cheers from the sunny South of France,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
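The question above asks how to express the negated destination match in FirewallD. The following script is an added example, not part of Nicolas's post nor of the FirewallD documentation. It uses a FirewallD direct rule, which is handed to iptables verbatim, so "! -d 192.168.3.1" works exactly as in the iptables line quoted in the post. It also removes the existing forward-port entry, because that entry matches every port-80 connection, including those aimed at the router, and would otherwise keep redirecting them. The interface name enp3s1, the router address 192.168.3.1, the Squid port 3128 and the zone name "internal" are taken from the post; the environment-variable overrides and the helper names are this example's own. (Recent FirewallD rich rules accept a "destination not address=" clause; whether the version shipped with CentOS 7 honours it inside a forward-port rule is not assumed here, which is why the example sticks to a direct rule.)

```shell
#!/bin/sh
# Added example (not from the original post): exempt connections addressed to
# the router itself from the Squid redirect with a FirewallD *direct* rule.
# Direct rules are passed to iptables verbatim, so "! -d <addr>" is available.
# Defaults are the values from the post (LAN interface enp3s1, router LAN
# address 192.168.3.1, Squid on 3128, zone "internal"); override via env.
set -eu

LAN_IF="${LAN_IF:-enp3s1}"
PROXY_IP="${PROXY_IP:-192.168.3.1}"
SQUID_PORT="${SQUID_PORT:-3128}"
ZONE="${ZONE:-internal}"

# Arguments for "firewall-cmd --direct --add-rule": family, table, chain,
# priority, then the iptables match and target. Every port-80 connection
# arriving on $1, except those addressed to $2 (the router), is redirected
# to Squid listening on $3.
direct_rule_args() {
  echo "ipv4 nat PREROUTING 0 -i $1 -p tcp ! -d $2 --dport 80 -j REDIRECT --to-ports $3"
}

# The zone forward-port entry from the post, which has to go: it matches all
# port-80 traffic, router included, and would compete with the direct rule.
old_forward_port() {
  echo "port=80:proto=tcp:toport=$2:toaddr=$1"
}

apply() {
  # "|| true" keeps a re-run idempotent once the entry is already gone.
  firewall-cmd --permanent --zone="$ZONE" \
    --remove-forward-port="$(old_forward_port "$PROXY_IP" "$SQUID_PORT")" || true
  # Unquoted on purpose: the rule is a list of space-separated iptables args,
  # none of which contains whitespace.
  # shellcheck disable=SC2046
  firewall-cmd --permanent --direct \
    --add-rule $(direct_rule_args "$LAN_IF" "$PROXY_IP" "$SQUID_PORT")
  firewall-cmd --reload
  firewall-cmd --direct --get-all-rules
}

# Confirm the negated destination really landed in the kernel's nat table
# (FirewallD places direct rules in the PREROUTING_direct chain).
verify() {
  iptables -t nat -S PREROUTING_direct | grep -F -- "! -d $PROXY_IP/32"
}

case "${1:-show}" in
  show)   direct_rule_args "$LAN_IF" "$PROXY_IP" "$SQUID_PORT" ;;
  apply)  apply ;;
  verify) verify ;;
  *)      echo "usage: $0 {show|apply|verify}" >&2; exit 2 ;;
esac
```

Run "sh squid-redirect.sh show" to see the rule, "apply" as root to install it, then "verify". The Squid side needs no change. From a LAN client, "curl -v http://amandine.sandbox.lan/" should now be answered by the router's httpd without a matching line in /var/log/squid/access.log, while any other HTTP site still shows up there.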